The Hacker News

Wednesday, 2 October 2013

Yahoo! discourages Security Researchers with just $12.50 bug bounty for vulnerability reporting
10/2/2013 7:37:00 AM

Today more and more companies are turning to external security researchers to help identify vulnerabilities and weaknesses in their applications through bug bounty programs. While companies like Facebook and Google pay out hundreds of dollars to researchers for reporting security vulnerabilities, according to Yahoo! the security of your email is worth only $12.50!

Yahoo is not having a very good run in the reputation department when it comes to user security. Researchers at High-Tech Bridge found a few bugs and were not exactly impressed with Yahoo's reward.

They reported cross-site scripting (XSS) flaws affecting two Yahoo domains and in return received a $12.50 bounty for each vulnerability they found. The amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and other accessories.

This isn't exactly a great reward for the time spent finding and reporting security vulnerabilities, and therefore does little to encourage researchers to spend that time on Yahoo! services.

Ilia Kolochenko, High-Tech Bridge CEO, says: "Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers."

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo's customers can ever feel safe."

All of the vulnerabilities have since been patched by Yahoo, which responded: "Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future."

Author: Wang Wei

Wang Wei has been a security consultant for government, financial securities firms and banks, and works as a researcher with The Hacker News. He is also a renowned speaker on the subject of exploit writing, a malware analyst, a freelance penetration tester, and a cloud computing, mobile application and software developer.
